Closed Bug 1871950 Opened 1 year ago Closed 1 year ago

Crash [@ ??] with JS_LIFO_UNDEFINED_PATTERN poision

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1871089
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- wontfix
firefox122 --- fixed
firefox123 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Regression)

Details

(5 keywords, Whiteboard: [bugmon:update,bisect])

Crash Data

Attachments

(2 files)

Detailed Crash Information
755 bytes, text/plain
Details
Testcase
106 bytes, text/plain
Details

The following testcase crashes on mozilla-central revision 20231225-fdd85a789550 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-parallel-marking --fast-warmup):

gczeal(4);
function a() {
    function b() {
        new a("return this.value");
    }
    [new b];
}
a();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00000cbcf2c96d87 in ?? ()
#1  0xfff9800000000000 in ?? ()
#2  0x000038cc67d6a040 in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0xcdcdcdcdcdcdcdcd	-3617008641903833651
rbx	0x7ffff2c8ad00	140737266625792
rcx	0xfff9800000000000	-1829587348619264
rdx	0x1	1
rsi	0xcbcf2c96a30	14005666671152
rdi	0x7ffff2bbe398	140737265787800
rbp	0x7fffffff71d0	140737488318928
rsp	0x7fffffff7180	140737488318848
r8	0x4	4
r9	0x7ffff2c3f000	140737266315264
r10	0x2	2
r11	0x7ffff3d2e1b0	140737284071856
r12	0x0	0
r13	0x7fffffff7cd0	140737488321744
r14	0x7ffff3d2e100	140737284071680
r15	0x1	1
rip	0xcbcf2c96d87	14005666672007
=> 0xcbcf2c96d87:	mov    0xa0(%rax),%ecx
   0xcbcf2c96d8d:	add    $0x1,%ecx

Parallel marking (GC) issue with poison pattern, marking s-s.

Attached file Testcase

Unable to reproduce bug 1871950 using build mozilla-central 20231225214719-fdd85a789550. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I'll assume this is bad. Feel free to remove or adjust the rating.

Keywords: csectype-uaf, sec-high

I can repro this without parallel marking enabled e.g. with these options: --fast-warmup --ion-offthread-compile=off --gc-param=parallelMarkingEnabled=0

Summary: Crash [@ ??] with parallel marking → Crash [@ ??] with JS_LIFO_UNDEFINED_PATTERN poision

Bisection points at bug 1863939, which seems plausible given the poison value.

Flags: needinfo?(jdemooij)
Regressed by: 1863939

Set release status flags based on info from the regressing bug 1863939

status-firefox121: --- → affected
status-firefox122: --- → affected
status-firefox-esr115: --- → unaffected

This looks like bug 1871089. I'll look into both.

Yes this is a duplicate of bug 1871089. The test case is nice because it reliably hits both issues identified there.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2024-0744
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: javascript-core-security → core-security-release

Making Firefox 122 security bugs public. [bugspam filter string: Pilgarlic-Towers]

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: